The Health Information Technology for Economic and Clinical
Health (HITECH) Act of 2009 calls for certain changes to previously issued HHS
rules regarding the privacy of individuals’ medical records (the Privacy Rule),
the security of electronic health records (the Security Rule), and enforcement of
the privacy and security provisions (the Enforcement Rule). The current rule
proposal encompasses the HITECH modifications to all three HIPAA rules.

Generally, the proposed rules are a step forward in ensuring
that individuals have control over their private medical information.
Additionally, HITECH and the proposed rules add much needed force to HHS’s
responsibility and ability to enforce and remedy violations. We limit our
comments here to issues concerning the proposed modifications to the Privacy
Rule and the proposal to establish educational programs within Office for Civil
Rights (OCR) Regional Offices.

2. Treatment Communications

HITECH limits marketing communications in instances where a
covered entity receives payment for making the communication. As proposed, HHS
would exclude from marketing any communication made by a covered entity to an
individual about alternative treatments, therapies, health care providers, or
settings of care. If the covered entity receives payment from a third party for
making the communication, the individual must be given notice and an
opportunity to opt out. The notice would be included in the covered entity’s
notice of privacy practices.

HHS solicits comment on how the opt out should apply to
future subsidized treatment communications and on whether individuals should be
given an opportunity to opt out of receiving treatment communications before
receiving such communications. HHS, unfortunately, is not considering the
alternative of an opt in, that is, requiring the individual’s authorization
before treatment communications are sent.

First, we believe the exclusion of treatment communications
from the definition of marketing creates a significant loophole in HITECH’s
general rule that communications made for payment are marketing
communications requiring the individual’s valid authorization. The HITECH
provision is really quite simple: if payment from a third party is involved,
the communication is marketing. Once remuneration is involved, there is no
safeguard to ensure that a communication is made for the patient’s benefit
rather than for commercial gain. HHS should reconsider the treatment exception.

In the alternative, patient consent, or an opt in, should be
required when a covered entity receives remuneration for advising patients about
various treatments or health-related products. Including an opt-out opportunity
in the covered entity’s required privacy notice is insufficient to allow
patients to make an informed choice. It is almost certain that few patients
actually read multiple-page privacy notices.

When a patient appears for an appointment, the most
important thing on their mind is receiving treatment for their current
condition. If HHS persists in its proposal to allow only an opt out for paid
treatment communications, at a minimum the opt out should be presented in a
separate document apart from the covered entity’s notice of privacy practices.
This approach, however, would still be a weak alternative to a true opt in.

An opt out not only fails to give patients adequate notice,
but also creates an additional burden for the provider. Under the proposed
scheme, a provider would be required to establish a toll-free number, an e-mail
address or some other mechanism for processing opt-out requests.

A less burdensome scheme for providers and patients would be
for HHS to categorize all communications that involve remuneration from a third
party as marketing. Then a provider that receives payment from a third party could
simply ask for the patient’s authorization at the time treatment is first
received. This would reduce patient confusion and avoid the necessity for the
provider to revise privacy notices and establish a mechanism to process patient
opt-out requests.

In the end, an opt-out scheme is simply unworkable as a
means of putting patients on notice. The proposed rules also lack a way for the
patient to verify that their opt out has been processed. In addition to failing
to inform patients and adding burdens on covered entities, an opt-out scheme
creates another layer of enforcement responsibilities for HHS, one that is
likely to receive low priority.

3. Educational Programs within Regional Offices

In addition to modifications to the Privacy, Security and
Enforcement Rules, HITECH requires HHS to designate regional office privacy
advisors to offer guidance and education. Education and guidance will be
available for covered entities, business associates, and individuals. HHS, in
the current rulemaking, has not requested comment on the extent or focus of
such education. However, the PRC takes this opportunity to suggest some areas
of guidance that would be helpful to individuals and covered entities alike.

Questions about medical privacy are one of the top reasons
consumers call the PRC or submit written questions. This experience makes the
PRC uniquely qualified to suggest areas where individuals need guidance and
education. We note that PRC also frequently receives questions from covered
entities and attorneys who are acting on behalf of patients or covered entities.

Major areas of concern evident from our public inquiries are:
(1) careless handling of medical records; (2) undue restrictions placed on
access to records; and (3) questions about personal information patients must
supply to health care providers and insurers.

A. Careless Handling of Medical Records

Careless handling of medical records has prompted several
complaints to the PRC in recent months. Typically, the individual who contacts
the PRC has ordered their own medical records by mail and received another
person’s records instead. In some cases, the individual receives some of his or
her own records mixed with another person’s records. Others have complained of
having to make repeated attempts to stop a covered entity from faxing patient
records to the wrong fax number. In another instance, a person left a hospital
thinking the package contained her own medical records, only to find later that
the package included records of multiple other patients.

B. Undue Restrictions on Access to Medical Records

Individuals have also reported undue restrictions, not found
in HIPAA, placed on their ability to get copies of their medical records.
For example, some patients have been told they cannot get copies of their
medical records unless an outstanding medical bill is paid. Others have been
told the office charges a flat rate for copies of medical records. In one
instance, the patient’s notarized signature was required before records were
provided. We do not believe such instances represent ill will on the part of
providers, but rather a lack of adequate training, particularly among small
providers.

C. Identifying Information Required

The forms of identification required as a condition of treatment or health
insurance coverage have also raised a number of privacy concerns. Individuals
have reported being required to provide copies of their Social Security card or
driver’s license. Others have reported cameras in treatment offices or being
required to be photographed.

Several individuals have expressed concern that their health
insurer has threatened to deny benefits unless they provide extensive
identifying information such as Social Security numbers and birth records.

Required forms of identification are one area where individuals,
providers, and insurers need guidance from HHS. On the one hand, individuals
are quite concerned today about the threat of identity theft and have been
educated, as a preventive measure, to closely guard personal information,
particularly their Social Security number. On the other hand, medical identity
theft is a major problem, the scope of which has only recently come to light.
This is truly an area where balancing these interests through guidance from the
government is needed.

D. Data Breaches

In 2005 the PRC began to compile a chronology of data
breaches documented primarily by news reports. By August 26, 2010, the PRC had
compiled a record of more than 500 million sensitive records that had been
involved in a data breach incident. PRC’s August report is available at:
www.privacyrights.org/500-million-records-breached.

The PRC’s list of data breaches is found here:
http://www.privacyrights.org/data-breach#CP. Please note that the user can
create customized lists by type of breached entity (medical, for example, or
educational), type of breach (portable media, for example) and year.

As of this writing, 14,534,477 sensitive medical records have been involved in
data breach incidents since 2005. Information exposed has included all manner of
personal data, including medical diagnoses, Social Security numbers, driver’s
license numbers, names, home addresses, birth dates, financial account
information, and more. Alarming as this number is, it is even more troublesome
to find that many of these breach incidents involved electronic medical records
stored unencrypted on lost or stolen electronic devices, data that is subject
to the HIPAA Security Rule.

Without a doubt, the unacceptable number of incidents
involving sensitive medical records points to an urgent need for HHS to take a
strong stand in enforcing the Security Rule and in seeking adequate remedies
against entities that fail to provide adequate safeguards.

Our most immediate concern is that HHS has created an
unwarranted loophole in HITECH’s clear mandate that a communication for which a
covered entity receives payment is a “marketing” communication that requires
the individual’s authorization. We strongly urge HHS to reconsider this
proposed exception to the definition of marketing for treatment communications.

We also urge HHS to take prompt steps to establish much
needed guidance and education facilities in regional offices. HHS should
consider establishing a telephone hotline, an online inquiry form, and/or a
public forum to provide direct, one-on-one answers to individuals and covered
entities. As discussed in Part 3 above, PRC’s experience has shown that all
parties involved have both misunderstandings and a lack of basic knowledge
about medical privacy and the limitations of the rules. HIPAA, without
question, is a very complex set of rules, and the guidance needed goes beyond
what can be accomplished through written materials alone.

Again, the PRC appreciates the opportunity to provide the
above comments on the proposed modifications to the HIPAA rules required by
HITECH.

The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy
organization based in San Diego, CA, and established in 1992. The PRC advises
consumers on a variety of informational privacy issues, including financial
privacy, medical privacy and identity theft, through a series of fact sheets as
well as individual counseling available via telephone and e-mail. It represents
consumers’ interests in legislative and regulatory proceedings at the state and
federal levels. www.privacyrights.org